Clues emerge about genesis of Stuxnet worm

Researchers analyzing the Stuxnet cyberweapon have found references in its code that could indicate that it was created in Israel. The hint to the weapon’s origin comes as new information about the virus emerged Thursday during the Virus Bulletin conference in Vancouver, Canada, and amid reports in Chinese media that Stuxnet has widely impacted the Internet-savvy country.

The New York Times reported Thursday that Stuxnet, a powerful computer virus of unknown origin, contains a file named “Myrtus,” which may reveal the virus’s origin in a Da Vinci Code-esque fashion. The “Robert Langdon” on the case is a German computer security expert named Ralph Langner.

Although myrtus has several possible meanings – including being Latin for the plant myrtle – Mr. Langner noted that it may be an allusion to the Hebrew word for Esther. He pointed out that the Book of Esther features a plot by Persia against the Jews, who preemptively attacked in response.

“If you read the Bible you can make a guess,” said Mr. Langner, in a telephone interview from Germany on Wednesday.

Carol Newsom, an Old Testament scholar at Emory University, confirmed the linguistic connection between the plant family and the Old Testament figure, noting that Queen Esther’s original name in Hebrew was Hadassah, which is similar to the Hebrew word for myrtle. Perhaps, she said, “someone was making a learned cross-linguistic wordplay.”

Another clue toward the maker could be in the number “19790509,” which appears in Stuxnet’s code. It could be a reference to the 1979 execution of a prominent Jewish Iranian businessman, according to a research paper presented by researchers Thursday at the Virus Bulletin conference, Computerworld reported.

In a report on the conference, which was dominated by talk of Stuxnet, National Public Radio says many experts believe Israel may have developed the cyber weapon as an alternative to a physical attack on Iran in the hope of minimizing blowback.

After all, hitting the nuclear plant with a 500 pound bomb would have produced far more collateral damage than attacking it with a cyber weapon, right?

Cybersecurity consultant [Stephen] Spoonamore is not so sure. “Compared to releasing code that controls most of the world’s hydroelectric dams or many of the world’s nuclear plants or many of the world’s electrical switching stations? I can think of very few stupider blowback decisions,” Spoonamore adds.

The Times adds that Israeli experts dispute that Stuxnet is an Israeli weapon against Iran, arguing instead that their studies indicate the virus is either “high-level industrial espionage against Siemens [whose systems the virus takes advantage of, or] a kind of academic experiment.”

Nonetheless, some experts believe the Stuxnet weapon was targeted at the Bushehr nuclear power plant in Iran. The Christian Science Monitor reported Wednesday that the launch of the new plant – which could be used to produce fuel for nuclear weapons – has been pushed back by three months, possibly due to infection by Stuxnet. Although Iranian officials have denied that the plant has been infected by Stuxnet, Langner told the Monitor on Sept. 21 that he suspects the plant was indeed the victim of Stuxnet, which is designed to destroy a specific physical facility rather than steal or corrupt information.

“Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world,” says Langner, who last week became the first to publicly detail Stuxnet’s destructive purpose and its authors’ malicious intent. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.” …

A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

A column in today’s Jerusalem Post praises Stuxnet as “a great achievement” if it is indeed an Israeli weapon. But it remains uncertain what Stuxnet’s target is and what its origin might be. Security expert Jeffrey Carr writes on his blog for Forbes that “there are more and better theories to explain Stuxnet’s motivation than just Israel and Iran.”

India and China are both concerned that they have been targeted. Noting that a key Indian satellite using Siemens technology went offline with a power glitch in July, Mr. Carr suggests that Stuxnet may have attempted to affect the race between China and India to put a man on the Moon.

Meanwhile in China, Xinhua reports that more than 6 million personal computers and 1,000 corporate computers have been infected by Stuxnet. China has become increasingly concerned over the Stuxnet threat, especially as the country enters a holiday weekend during which it may be particularly vulnerable, reports Agence France-Presse.

Comments (2)

  1. Submitted by Josh Williams on 10/01/2010 - 09:53 am.

    I find this continuing story to be endlessly fascinating. That is all.

  2. Submitted by Michael Zalar on 10/04/2010 - 01:18 am.

    I find it a bit scary. Let’s say Iran manages to figure out the code and then hands it off to a computer-savvy terrorist organization.
    I really don’t trust the level of cybersecurity in the US – a well organized cyber strike, even if it only reaches a few of its intended targets, could effectively cripple America.
