Slashdot Mirror


Stuxnet Analysis Backs Iran-Israel Connection

Trailrunner7 writes "Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O'Murchu said that Symantec's analysis of Stuxnet's code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O'Murchu's hypothesis about the origins of Stuxnet was plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention." Symantec has also issued a lengthy and detailed dossier on Stuxnet (PDF).

17 of 307 comments

  1. Wait a minute. by Moryath · · Score: 5, Insightful

    So the entire idea of the "Israel created this to attack Iran" idea is based on finding the date May 9, 1979 hidden in the code - and that because it's the first day the current theocratic asshats running Iran beheaded the first Jew of their despotic regime? Really?

    This is like playing Nostradamus. Pluck something vague, go hunting, and see what you can say later to claim you "predicted it." For instance, in Eastern bloc countries, May 9 1945 is "Victory Day." I'm sure some prominent politician somewhere in there also died on May 9, 1979. A google search for that date came back with 196,000 results just on the precise phrase "May 9, 1979".

    Ridiculous.

    1. Re:Wait a minute. by Moryath · · Score: 5, Insightful

      Dozens of regimes have the motivation, capability and demonstrated willingness to do things like this.

      Hell, thousands of hackers across the world have the motivation, capability, and demonstrated willingness to do things like this. And that's not even before we get to the professional virus-writers that are tied in with outfits like the yakuza and Russian mafia gangs these days operating various blackmail/extortion gambits.

      It sounds more like the "idea" is based on someone who has some grudge against Israel and found a convenient outlet for it, just like all the other "waah the jews did it" conspiracy theories that always sprout up - including the dork who posted a "jews also did wtc" in the first post (thankfully probably trollmarked down to -1 by now) to this article.

    2. Re:Wait a minute. by Patch86 · · Score: 5, Funny

      So are we claiming that development on Stuxnet started on 9/5/1979 in reaction to this execution? (Did Siemens even make industrial control computers in the 70s?) Or are we claiming that the "authors of such a sophisticated piece of malware" decided to plant a trail of clues, like some sort of cartoon villains?

      They would have got away with it too, if it weren't for those meddling Symantec engineers.

    3. Re:Wait a minute. by polle404 · · Score: 4, Insightful

      Funny, yesterday it was an obscure bible reference that supposedly proved Israeli mischief:
      http://gizmodo.com/5652032/the-secret-code-inside-the-supervirus-attacking-iran-nuclear-power

      Sounds like someone has found someone to blame, and is desperately searching for "evidence" to back it up.

      --

      ~men are from earth. women are from earth. deal with it.~

    4. Re:Wait a minute. by PopeRatzo · · Score: 4, Funny

      Israel definitely has motive and means to be behind the worm.

      You better be careful. Rick Sanchez just said that Jews control all the ISPs and you might have your Internet connecti...{NO CARRIER}

      --
      You are welcome on my lawn.

    5. Re:Wait a minute. by The+Ultimate+Fartkno · · Score: 5, Funny

      Now that's just being anti-Symantec.

      (alt: anti-Siemantic. You pick.)

    6. Re:Wait a minute. by siddesu · · Score: 4, Insightful

      Hehe, mod parent up.

      The "EU" as a "state actor" is rich. If there is anything that is farther from a "state actor" in the world today (excluding maybe the UN), it is the EU. They can't make a decision on how to tie their collective shoes together, much less conspire to attack a foreign country.

      Look at the EU's "common position" on the Iran sanction proposals for the spine, resolution, unity and swift action the "state actor" has...

    7. Re:Wait a minute. by unitron · · Score: 4, Informative

      Who else does Iran sell these PLC's to?

      Iran doesn't make and sell them, Siemens does.

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  2. Proof??? by ArieKremen · · Score: 5, Insightful

    They were smart enough to write and deploy a complex virus, but stupid enough to include a reference to an obscure execution date of a prominent Iranian Jew; the first Google hit conveniently pointing to the relevant Wikipedia entry. That screams red herring (en.wikipedia.org/wiki/Red_herring_(idiom)), not proof.

    --
    -- Cave quid dicis, quando, et cui

  3. Ya by Sycraft-fu · · Score: 4, Interesting

    This is compounded by the problem that people are presupposing the answer. From the start, it seems people have assumed this MUST be an attack against Iran and thus done by the US or Israel. As such their thought process is "Find evidence of US or Israeli involvement," and not "Try to find out the source of the attack."

    If you look hard enough for evidence of something, you'll often find it, even when there isn't any, particularly when the standard for evidence is low. Same kind of shit with all the 9/11 conspiracy. People doing 9s 11s and so on all over the place. Snopes did a great bit choosing another number and showing how that was all over the place too.

    Sorry, but I'd require a significant amount more than this to be convinced. This isn't evidence, it is speculation at best and conspiracy mongering at worst.

    1. Re:Ya by LWATCDR · · Score: 4, Interesting

      Well, let's make a list of the countries that have the resources to do this and the motivation.
      1. The US.
      2. Israel.
      We know both of their motivations, but I can think of a lot more.
      3. India. A nuclear Pakistan is bad enough without a nuclear Iran.
      4. Russia. Blow up some stuff, sell them new stuff. Repeat until rich. Plus Russia has no real desire to have a nuclear Iran on its doorstep.
      5. Saudi Arabia. They have the money and no love for Iran.
      6. France. They were allies with Iraq during the Iran-Iraq war. They don't want Iran to be a member of the nuclear club.
      7. Germany. The PLCs were made by a German company. They have no desire to see Iran have nukes.
      In fact you can put all of Europe down as having both the motivation and the ability ("okay, maybe not Luxembourg") to pull off this attack.
      And most of the Middle East has motivation as well, and a team of CS majors with hacking talent cannot be that hard to find.
      8. China. They are now a world power. They do not need Iran trying to stir up trouble.
      9. The UK. I mean really, that should be a given.
      So about the only nations with a large industrial base and high levels of education that I would rule out are:
      Canada, Australia, New Zealand, Japan, South Africa and Brazil. And frankly any one of them could have done it just to defuse the issue and try to stop a nuclear war in the Middle East.
      Frankly I don't think that Israel or the US would have put in a date pointing to Israel.
      Now Russia, on the other hand, I could see doing it. But it is all guesswork with no proof at this point.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.

  4. Really?!? This is front-page quality? by ZuchinniOne · · Score: 4, Insightful

    Technical analysis aside, all these Israel claims are based on huge assumptions and zero concrete evidence. Even if Israel did create this virus why would they put references in the code that led back to them?

  5. It's called circumstantial evidence by Zocalo · · Score: 4, Insightful

    And it adds up. Besides the "date", admittedly a bit of a stretch as you note, there are also references to "Myrtus" within a path left in the code. Myrtus, a type of myrtle, is possibly a biblical reference to the Book of Esther (Esther was originally called Hadassah - similar to the Hebrew word for myrtle) in which Jewish forces, after unraveling a Persian attack plan, stage a preemptive and successful assault against their adversaries. There is also the level of knowledge required for the targeting of Stuxnet, including highly specific details about its intended target that would have required internal knowledge of the kind that is likely to require espionage to acquire. Finally, there is also a cut-off date of June 24, 2012 when Stuxnet will go dormant. While not unheard of in the world of more conventional botnets, this is decidedly unusual and further points to a nation state's involvement.

    Taking all that together, I think it's fairly reasonable to limit the list of suspects to those countries with a reason to be wary of Iran's nuclear program - of which there are, admittedly, quite a few. However, Israel does have a track record for being decidedly unsubtle when it is being proactive about such things, viz. the 2007 air raid on one of Syria's nuclear facilities, or the murder of Mahmoud al-Mabhouh.

    --
    UNIX? They're not even circumcised! Savages!

    1. Re:It's called circumstantial evidence by Moryath · · Score: 4, Funny

      admittedly a bit of a stretch as you note, there are also references to "Myrtus" within a path left in the code. Myrtus, a type of myrtle, is possibly a biblical reference to the Book of Esther (Esther was originally called Hadassah - similar to the Hebrew word for myrtle)

      So now we're working off the "this word sounds like this word which is another word for this word" theory?

      Lessee. "May" is a synonym with "shall"... which sounds a lot like "challa"... which is a lovely tasty breadstuff usually eaten by... JEWS! AAAUGH! RUN FOR YOUR LIVES!

      Of course, that's the point of all this meaningless bullshit. You're looking for obscure connections trying to "prove" your own biases. Nothing more.

    2. Re:It's called circumstantial evidence by Jah-Wren+Ryel · · Score: 4, Informative

      there are also references to "Myrtus" within a path left in the code.

      Considering the virus targets the PLCs in SCADA systems where RTUs are standard system components, I'm willing to bet that "myrtus" is short for something like "My RTU Source" rather than an obscure reference to guavas.

      --
      When information is power, privacy is freedom.

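The two artifacts comment 5 and its replies argue over, a date constant in the code and a "Myrtus" string in a debug path, are both things an analyst extracts from a binary mechanically, and both are trivially plantable. The script below is an added example written for this mirror, not code from Symantec, from the thread, or from the dossier: it scans a raw blob for CodeView RSDS debug records (the structure that carries a PDB path) and for little-endian DWORDs that decode as a valid YYYYMMDD calendar date. The sample blob is constructed for the demo. Its RSDS layout is the real CodeView format, the PDB path is the one Symantec's dossier reports for a Stuxnet driver, and 19790509 and 20120624 are the constants the dossier describes as the infection marker and the stop date; the GUID, age, padding and trailing noise bytes are made up.

```python
import re
import struct
from datetime import date

# Constructed sample standing in for a raw binary or memory dump. Layout of the
# RSDS record (signature, 16-byte GUID, 4-byte age, NUL-terminated path) is the
# real CodeView format; the GUID bytes and age are dummies. The PDB path is the
# one Symantec's dossier reports; 19790509 and 20120624 are the YYYYMMDD-style
# constants the dossier describes as infection marker and stop date. Padding
# and the 0x41414141 tail are noise added for the demonstration.
SAMPLE = (
    b"\x00" * 8
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\x00"
    + b"\x90" * 12
    + struct.pack("<I", 19790509)
    + struct.pack("<I", 20120624)
    + struct.pack("<I", 0x41414141)
)

# "RSDS" + GUID(16) + age(4), then a printable path ending in .pdb and a NUL.
PDB_RE = re.compile(rb"RSDS.{20}([\x20-\x7e]{1,260}?\.pdb)\x00",
                    re.DOTALL | re.IGNORECASE)


def extract_pdb_paths(blob: bytes) -> list[str]:
    """Return PDB paths embedded in CodeView RSDS debug records."""
    return [m.group(1).decode("ascii") for m in PDB_RE.finditer(blob)]


def extract_yyyymmdd_dwords(blob: bytes, lo: int = 19700101,
                            hi: int = 20991231) -> list[tuple[int, int, str]]:
    """Slide a 4-byte window over the blob and keep little-endian DWORDs that
    decode as a real calendar date written as YYYYMMDD within [lo, hi].
    Returns (offset, raw value, ISO date). Scanning every byte offset rather
    than only aligned ones catches constants inside packed data at the cost of
    occasional false positives; the calendar check removes most of them."""
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if not lo <= val <= hi:
            continue
        y, m, d = val // 10000, (val // 100) % 100, val % 100
        try:
            hits.append((off, val, date(y, m, d).isoformat()))
        except ValueError:
            pass  # numerically in range but not a date (e.g. month 13)
    return hits


def triage(blob: bytes) -> dict:
    """Collect both artifact classes the thread argues about."""
    return {"pdb_paths": extract_pdb_paths(blob),
            "dates": extract_yyyymmdd_dwords(blob)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for path in result["pdb_paths"]:
        print("pdb path:", path)
    for off, val, iso in result["dates"]:
        print(f"date-like DWORD at 0x{off:x}: {val} -> {iso}")
```

Against a real sample you would pass the file bytes or a memory dump instead of SAMPLE. On a large binary the byte-granular date scan will return some false positives, which is exactly the sceptics' point about evidence standards: a hit tells you a constant is present, not who put it there or why, and a string in a PDB path costs the author nothing to choose.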
  6. Re:Really?!? This is front-page quality? by SplashMyBandit · · Score: 4, Insightful

    Exactly. It shows how badly the people analyzing the worm would like to tie it back to a super-secret Mossad operation. Talk about "confirmation bias"!

  7. Ah, yes, the world is a scary place isn't it by SmallFurryCreature · · Score: 4, Insightful

    Your arguments sound an awful lot like people who argue 9/11 was a government plot. Why do they argue this? Because they are afraid and can't deal with a world where a random group of individuals can do such a complex thing.

    This is especially amazing as a story running at the same time is about the leaked Intel key. And of course the ongoing story of the PS3 being cracked.

    Random individuals are a lot more resourceful than some people are willing to give them credit for. But blaming a shadow government for it is far easier to cope with because that means at least someone is in charge. In control.

    Those "stolen" certificates also mean nothing. They get "leaked" all the time. Case in point, the Intel key, which was a LOT more valuable than the keys in this worm.

    As for hackers knowing about Siemens... that is so easy and trivial to explain I hardly find it worth the effort. But it is PUBLIC knowledge who supplies Iran with its tools. Export bans and all make sure everything has to be declared.

    No, I look deeper and look at the fact this worm was so quickly discovered and so handily, easily decoded with all these handy clues pointing to Iran's enemies. Mmm, a virus outbreak in Iran that nobody else notices, spreads uncontrollably, yet then is near instantly dissected and points towards Iran's standard scapegoats.

    Gosh, how convenient.

    Zero day exploits are a dime a dozen, smart people the same. This is just a worm that worked its magic in a mono-culture. The moment I start thinking "government conspiracy" is when someone reveals anything about the data transferred.

    WHY would Israel do this? They've got far better methods available. And they don't need to disable the Windows PCs of a nuclear reactor's office workers. They've got reliable aircraft to do that, which sends a far stronger message. They've got plenty of experience with it.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.