The highly sophisticated SCADA-attacking Stuxnet worm first came under notice in July 2010 when a rootkit driver used by the worm was found to have been signed by a stolen Realtek certificate.
Since the Stuxnet discovery, security researchers and laypersons across the globe have been busy reverse engineering and analyzing clues in the worm's code. Some have proffered their opinion that Stuxnet was the work of the Israeli government, targeted against Iran.
Unfortunately, many of these conclusions were based not on actual analysis, but on reading Wikipedia articles.
Following are the common points made in the Israel targeting Iran theory:
1. Stuxnet contains the string 19790509 - obviously a date of May 09, 1979. That date coincides with Iran's execution of Habib Elghanian, a prominent Jewish businessman in Iran, as seen in this Wikipedia article.
2. The Stuxnet rootkit driver includes the path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb. According to Wikipedia:
"Hadassah means 'myrtle' in Hebrew. It has been conjectured that the name Esther is derived from a reconstructed Median word astra meaning myrtle."
3. Stuxnet infections are most prolific in Iran, therefore Iran must be the target.
All this 'evidence' sounds pretty compelling, right? Actually no. Let's take a look at each, plus introduce some of the ignored evidence also contained within the Stuxnet worm's code.
1. The 19790509 string. Certainly it is a date, yes. Is it a date that the people of Israel would hold close to their hearts? Probably not. Habib may have been Jewish, but he was also an Iranian citizen - not an Israeli. It's doubtful most people from Israel have even heard of him. On the date of his execution for alleged spying, he was put to death alongside 37 other men (most of whom were also convicted of spying). He was the only Jewish person among them.
2. Remember that file path of b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb? Esther would be a pretty obscure connection. Myrtus is much more commonly known as the botanical term for myrtle, a family of plants that includes flowering trees and other plants such as garlic, eucalyptus, and even guava. Myrtus could also easily be construed as My RTUs. In SCADA environments, RTU is a commonly used term for remote terminal unit. Isn't it more plausible that the Stuxnet author named the folder myrtus (meaning My RTUs), then realized it also read myrtus, the botanical term, and hence named his file guava?
3. Regarding the worm's infection rate, Stuxnet's geographical distribution is impossible to quantify. Initial reports are skewed by vendor distributions in any given area. Sell more antivirus in Iran than you do in Indonesia? Chances are you will see more Stuxnet in Iran than you would in Indonesia.
After infecting a machine, the Stuxnet worm makes outbound connection attempts to mypremierfutbol.com and todaysfutbol.com. Subsequent reports gathered by intercepting the worm's 'phone home' traffic are biased by two factors. First, SCADA systems are generally not Internet connected; only those infected systems that have a live connection will make that outbound attempt. Second, the systems that are getting infected are a reflection of systems not protected by antivirus. Those systems encountering the worm but which are adequately protected will not get infected and thus will not make that outbound attempt.
Further, not a single researcher disagrees that Stuxnet is a highly sophisticated worm. Stuxnet was specifically designed to jump to machines that were not Internet connected. It was designed to spread through SCADA systems, the control centers for critical infrastructure. Given its sophistication and steroidal worm capabilities, it's difficult to believe the spread is just one big 'oops'.
4. The Stuxnet worm includes a kill date (a date after which it will self destruct). That kill date is June 24, 2012. Astrologically and astronomically, June 24, 2012 is the date that Pluto in Capricorn squares off against Uranus in Aries. Referred to astrologically as the grand cross, it is allegedly the kickoff for a 3 year period of revolutionary changes that eventually lead to a single world government (aka World War III). Or, as other soothsayers allege, it's also the kickoff for the beginning of the end of the world as we know it in December 2012, based on Mayan Calendar interpretations.
Perhaps what we really have here is someone born on May 9, 1979, probably male. This 31-year-old Taurus is very adept at programming and probably has first-hand knowledge of SCADA systems. He has enough patience and determination to ferret out 4 separate zero-day vulnerabilities - the kind of determination driven more by emotion than money. He's studied botany enough that when he typed a folder name for "my RTUs" he instantly realized it matched myrtus, aka the myrtle genus, and hence named the file guava. He also natively equates soccer with futbol. He may have strong environmental opinions and more than a casual interest in astrology.
But the one thing none of the evidence seems to point out is any direct connection to either Iran or Israel.