
Debunking the Bunk of Stuxnet

October 2, 2010


The highly sophisticated SCADA-attacking Stuxnet worm first came under notice in July 2010 when a rootkit driver used by the worm was found to have been signed by a stolen Realtek certificate.

Since the Stuxnet discovery, security researchers and laypersons across the globe have been busy reverse engineering and analyzing clues in the worm's code. Some have proffered their opinion that Stuxnet was the work of the Israeli government, targeted against Iran.

Unfortunately, many of these conclusions were based not on actual analysis of the code but on reading Wikipedia articles.

Following are the common points made in the Israel targeting Iran theory:

1. Stuxnet contains the string 19790509 - obviously a date of May 09, 1979. That date coincides with Iran's execution of Habib Elghanian, a prominent Jewish businessman in Iran, as seen in this Wikipedia article.

2. The Stuxnet rootkit driver includes the path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb. According to Wikipedia:

"Hadassah means 'myrtle' in Hebrew. It has been conjectured that the name Esther is derived from a reconstructed Median word astra meaning myrtle."

3. Stuxnet infections are most prolific in Iran, therefore Iran must be the target.

All this 'evidence' sounds pretty compelling, right? Actually no. Let's take a look at each, plus introduce some of the ignored evidence also contained within the Stuxnet worm's code.

1. The 19790509 string. Certainly it is a date, yes. Is it a date that the people of Israel would hold close to their hearts? Probably not. Habib may have been Jewish, but he was also an Iranian citizen - not an Israeli. It's doubtful most people from Israel have even heard of him. On the date of his execution for alleged spying, he was put to death alongside 37 other men (most of whom were also convicted of spying). He was the only Jewish person among them.

2. Remember that file path of b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb? Esther would be a pretty obscure connection. Myrtus is much more commonly known as the botanical term for myrtle, a family of plants that includes flowering trees and other plants such as garlic, eucalyptus, and even guava. Myrtus could also easily be construed as My RTUs. In SCADA environments, RTU is a commonly used term for remote terminal unit. Isn't it more plausible that the Stuxnet author named the folder myrtus (meaning My RTUs), then realized it also read myrtus, the botanical term, and hence named his file guava?

3. Regarding the worm's infection rate, Stuxnet's geographical distribution is impossible to quantify. Initial reports are skewed by vendor distributions in any given area. Sell more antivirus in Iran than you do in Indonesia? Chances are you will see more Stuxnet in Iran than you would in Indonesia.

After infecting a machine, the Stuxnet worm makes outbound connection attempts to mypremierfutbol.com and todaysfutbol.com. Subsequent reports gathered by intercepting the worm's 'phone home' traffic are biased by two factors. First, SCADA systems are generally not Internet connected; only those infected systems that have a live connection will make that outbound attempt. Second, the systems that are getting infected are a reflection of systems not protected by antivirus. Those systems encountering the worm but which are adequately protected will not get infected and thus will not make that outbound attempt.

Further, not a single researcher disagrees that Stuxnet is a highly sophisticated worm. Stuxnet was specifically designed to jump to machines that were not Internet connected. It was designed to spread through SCADA systems, the control centers for critical infrastructure. Given its sophistication and steroidal worm capabilities, it's difficult to believe the spread is just one big 'oops'.

4. The Stuxnet worm includes a kill date (a date after which it will self-destruct). That kill date is June 24, 2012. Astrologically and astronomically, June 24, 2012 is the date that Pluto in Capricorn squares off against Uranus in Aries. Referred to astrologically as the grand cross, it is allegedly the kickoff for a three-year period of revolutionary changes that eventually lead to a single world government (aka World War III). Or, as other toothsayers allege, it's also the kickoff for the beginning of the end of the world as we know it in December 2012, based on Mayan Calendar interpretations.

Perhaps what we really have here is someone born on May 9, 1979, probably male. This 31-year-old Taurus is very adept at programming and probably has first-hand knowledge of SCADA systems. He has enough patience and determination to ferret out four separate zero-day vulnerabilities - the kind of determination driven more by emotion than money. He's studied botany enough that when he typed a folder name for "my RTUs" he instantly realized it matched myrtus, aka the myrtle genus, and hence named the file guava. He also natively equates soccer with futbol. He may have strong environmental opinions and more than a casual interest in astrology.

But the one thing none of the evidence seems to point out is any direct connection to either Iran or Israel.
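The two artifacts the article leans on, the PDB path in the rootkit driver and the phone-home domains, are both plain byte strings left inside the binary, which is why analysts can pull them out in minutes and why they prove so little: the attacker chose every byte of them. The following is an added example, not code from the article or from any Stuxnet analysis, showing how such strings are recovered. It assumes the standard CodeView "RSDS" debug record layout (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path); the sample byte blob, the GUID and the helper names (`extract_pdb_records`, `extract_hostnames`, `build_sample`) are all constructed for this illustration and are not taken from a real sample.

```python
"""Recover attribution-flavoured artifacts from a binary blob: the CodeView
(RSDS) record carrying a PDB path, and ASCII strings that look like hostnames.
Both are attacker-written bytes: good for clustering samples, weak for attribution.
Added example; the sample blob below is constructed, not a real Stuxnet file."""
import re
import struct
import uuid

# CodeView RSDS record: b"RSDS" | 16-byte GUID (little-endian) | 4-byte age | NUL-terminated path
RSDS_SIG = b"RSDS"
RSDS_HEADER = struct.Struct("<4s16sI")

# Hostname-looking tokens; the TLD list is deliberately short for the illustration.
HOST_RE = re.compile(rb"(?<![A-Za-z0-9.-])(?:[a-z0-9-]+\.)+(?:com|net|org|info)\b", re.I)

# Path quoted in the article, embedded in the constructed sample below.
PDB_PATH = rb"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb"


def extract_pdb_records(blob: bytes) -> list:
    """Return every well-formed RSDS record found anywhere in the blob.

    Scanning the raw bytes rather than walking the PE debug directory means
    records survive packers and corrupted headers; truncated records near the
    end of the file (signature present, header or NUL missing) are skipped."""
    records = []
    pos = blob.find(RSDS_SIG)
    while pos != -1:
        if pos + RSDS_HEADER.size <= len(blob):
            _sig, guid_raw, age = RSDS_HEADER.unpack_from(blob, pos)
            end = blob.find(b"\x00", pos + RSDS_HEADER.size)
            if end != -1:
                path = blob[pos + RSDS_HEADER.size:end].decode("utf-8", "replace")
                records.append({
                    "guid": str(uuid.UUID(bytes_le=guid_raw)),
                    "age": age,
                    "pdb_path": path,
                    # The directory names are the only "evidence" in the record.
                    "path_components": [c for c in path.split("\\") if c],
                })
        pos = blob.find(RSDS_SIG, pos + 1)
    return records


def extract_hostnames(blob: bytes) -> list:
    """Unique, lower-cased hostname-like ASCII strings in the blob."""
    return sorted({m.group(0).decode("ascii").lower() for m in HOST_RE.finditer(blob)})


def build_sample() -> bytes:
    """Constructed stand-in for a driver image: fake DOS header padding, one RSDS
    record with the article's path, the two domains the article names, and a
    dangling 'RSDS' at end-of-file that a careless parser would trip over."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed GUID
    record = RSDS_HEADER.pack(RSDS_SIG, guid.bytes_le, 1) + PDB_PATH + b"\x00"
    return (b"MZ" + b"\x90" * 64
            + b"\x00" * 16 + record + b"\x00" * 8
            + b"http://mypremierfutbol.com/\x00"
            + b"todaysfutbol.com\x00"
            + b"RSDS")


if __name__ == "__main__":
    sample = build_sample()
    for rec in extract_pdb_records(sample):
        print("PDB path:", rec["pdb_path"], "age:", rec["age"], "guid:", rec["guid"])
        print("directory names:", rec["path_components"])
    print("hostnames:", extract_hostnames(sample))
```

The GUID and age are the fields a defender actually cares about: they are what the debugger uses to match a binary to its symbol file, so two samples sharing them were built from the same source tree and can be clustered together. The path string itself is free text typed by whoever built the binary, which is exactly why "myrtus" can be read three different ways.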

Comments
October 4, 2010 at 7:47 am
(1) david says:

what is a toothsayer? Is that a dentist?

October 4, 2010 at 7:54 am
(2) Umacf24 says:

Thank you.

I prefer your analysis to the “Cyber Super-Weapon” we’ve been hearing about, because as super-weapons go, the overall effect seems to be a puny waste of zero-day vulns and classy malware code.

But I do struggle to understand how anyone so skillful could miss the alternative potential of those vulns. I think there is more to learn about Stuxnet.

Tom

October 4, 2010 at 8:49 am
(3) CC says:

This is all quite logical and I truly doubt israel is behind this, they are a convenient target for many conspiracy theories and generally easy to pick up and blame for anything that involves wars and spies in potential.

Mary Landesman, I want to point out 1 theory that you didn’t cover, it is the theory that suggests stuxnet is an alien quantum computing virus, it is obviously not true but I think you might wish to add a section to clarify this issue, as ridiculous as it may sound this rumored theory is easy to find with a search.

October 4, 2010 at 10:24 am
(4) Afuru says:

Stuxnet is a research! We should all be ready for attacks such as this. We do not need machines or systems with such ‘Vulnerability’ exploited by Stuxnet.
Stuxnet may not even cause the sort of harm it is feared to be capable of, but it is a signal for attacks that can change the course of a speed train or direction of a plane.
We may be afraid of this virus but it is part of a study that will lead to real things to be afraid of.

October 4, 2010 at 11:56 am
(5) Sue says:

I believe the date to read September 5th – though in 1972 – referring to the Munich Massacre where Israeli olympic team members were murdered by Black September. 11 athletes in total, 2 (1972) killed immediately and 9 (1979) later while in helicopters. September 11th was the closing day of that Olympics. East Germany won the Sept. 5 football match against Mexico (guava’s native) 7-0. Guava is used to fight infections. Myrtle is the symbol for Eden, as well as the strongest force in the universe.

October 4, 2010 at 2:55 pm
(6) runswithbeer says:

Folks Drive B:\ don’t exist no mo. I am probably the only person on the planet who has a drive B in their computer. It’s a 360k/1.2 MB Floppy drive. I have never seen a Thumb Drive map to drive B in Linux or Windows.

October 4, 2010 at 3:13 pm
(7) Mary Landesman says:

Runswithbeer: anyone can map a drive to b:\. It’s not a *thing*, it’s a configurable designation. Yes, in the old days a:\ and b:\ were typically the default designations for floppy drives, but even default drive designations could be changed then (and of course still can be now). Also, it refers to a path that existed on the attacker’s computer; it has nothing to do with the functioning of the worm itself.

October 6, 2010 at 1:27 pm
(8) bORegon says:

Guava is most likely part of a name or ingredient on a bottle on her desk. Code more. C Theorise less.
–Mango

October 8, 2010 at 7:58 am
(9) envirotex says:

A refreshing read given all the wild speculation and nonsense.

I’m liking this RTU angle,
http://cryptome.org/0002/myrtus-v-myRTUs.htm

Thanks for the article.

October 9, 2010 at 7:48 am
(10) Dave says:

All of the “analysis” that points at Israel is an example of a common logical fallacy called the Texas sharpshooter fallacy, from the concept of a Texan who fires some random shots into the side of a barn and then paints a target centered where the shots fell. By carefully picking two or three random numbers or strings of letters related to Stuxnet and ignoring the rest, you can “find” whatever evidence you need to tie it to pretty much anywhere.

As a quick challenge, anyone want to figure out how to “prove” it came from Burkina Faso? For a starter, if you take the stuxnet magic number 19790509 and divide it by the speed of light in miles per second over 1000 then you get 106,000, which is nearly 105,900, the area of Burkina Faso. See if you can find two more factors to make it the other contender besides Israel. For bonus points, prove that the country of origin is Suriname rather than Burkina Faso.

October 19, 2010 at 2:31 pm
(11) Colin Copley says:

All this looking in the code for clues, it seems pointless for me.

Reverse the code to find out what the thing is doing, but you can’t start inferring things from what might be random strings or meaningless variables. 19720509 may not even be a date.

And why leave clues in there when it doesn’t accomplish anything. I don’t believe anything will come of this speculation either. But I still believe it’s an Israeli worm, just not from any of these *clues*

November 29, 2010 at 10:51 pm
(12) Marek says:

Did you think of the date September 5th. A lot of countries in the world write first the Day and then the month.

November 30, 2010 at 11:16 pm
(13) Dom says:

Ahmadinejad thinks it was Wikileaks but May 7th 1979 – something about SALT2? Nobody would finger Russia upselling to Iran, they’ve possibly done the world a favour. That could explain why the targets are scattered and why western agencies have to work at limiting the spread.

December 1, 2010 at 10:39 pm
(14) Chris says:

Marek:

Typically when you write a date as a programmer and begin with the year, you’re working with a “big endian” format which runs Year-Month-Day. It would be idiosyncratic to write Year-Day-Month in this context.

January 18, 2011 at 9:50 am
(15) DC says:

So now that we know Israel and the United States actually did this, doesn’t that leave you with egg on your face?

You should print a new article and apologize to everyone for the nonsense written in this article.

January 18, 2011 at 10:39 am
(16) RexKramer says:

ROFLBBQ! http://www.spacedaily.com/reports/Israel_tested_Stuxnet_on_Iran_with_US_help_report_999.html

Egg on the face? Better not, I like eggs. They can have manure, though ;)

January 18, 2011 at 11:22 am
(17) Mary Landesman says:

No egg here. I prefer to take facts at face value instead of trying to spin them with the help of anonymous sources and non-credible former psychologists. Remember too that some newspapers reported heavily on the Israeli conspiracy to begin with and some may have some desire (consciously or otherwise) to avoid their own egg face. In any event, speculation from anonymous sources (and even worse, anonymous sources that are listed as “former” officials) doesn’t add up to any more than gossip and rumor-mongering, i.e. not fact.

January 18, 2011 at 4:27 pm
(18) Political Atheist says:

Hey, what do you know? New York Times just confirmed that Stuxnet was the work of US and Israel.

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

How many times do governments have to get caught lying to you before you start to think for yourselves?

January 18, 2011 at 9:52 pm
(19) James says:

The recent New York Times article debunks your “debunking”. I simply do not understand all the vitriol directed at us conspiracy realists. We are only trying to help the ignorant masses understand how badly they’ve been deceived. Remember, the government wanted to use this issue to restrict your internet freedom. However, as the elite well know, this is beyond your level of comprehension which is precisely why they are in control.

http://www.infowars.com/stuxnet-another-conspiracy-theory-turns-out-to-be-true/

March 4, 2011 at 9:47 am
(20) Chris Siess says:

As it turns out it was an effort by AmerIsreal to create a new Chernobyl. Which means that all the articles “debunking” this claim were nothing but AmerIsrael propaganda aimed at the American people. The Iranian people have every Right to defend themselves and it is obvious that AmerIsrael poses a threat to all Humanity. Therefore the Iranians have every right to counterattack. So when you see more dead Americans, you’ll know the cause. When AmerIsrael throws off the Zionist yoke and starts behaving in a civilized manner maybe total annihilation can be averted.

March 7, 2011 at 2:07 pm
(21) Mary Landesman says:

Wow. Some serious conspiracy theorists. Don’t know whether to laugh or cry. Anyway, for those who are interested more in fact than fiction, here are a few other Stuxnet debunkings to consider:
Stuxnet, Winsta.exe, and Cover-Ups

March 9, 2011 at 6:37 pm
(22) tamur says:

How can we change the geographical information on Stuxnet ?
or
which geographical area stuxnet focused on?

January 23, 2012 at 3:16 am
(23) chicnextdoor says:

June 24 happens to be mason universal brotherhood day…creepy


©2014 About.com. All rights reserved.