Stuxnet code hints at possible Israeli origin, researchers say
But they warn that misdirection is a common hacker tactic
Computerworld - Security researchers today offered another tantalizing clue about the possible origins of the notorious Stuxnet worm, but cautioned against reading too much from the obscure tea leaves.
In a paper released today and presented at a Vancouver, British Columbia security conference, a trio of Symantec researchers noted that Stuxnet includes references in its code to the 1979 execution of a prominent Jewish Iranian businessman.
Buried in Stuxnet's code is a marker with the digits "19790509" that the researchers believe is a "do-not infect" indicator. If the marker equals that value, Stuxnet stops in its tracks, and does not infect the targeted PC.
The researchers -- Nicolas Falliere, Liam O Murchu and Eric Chen -- speculated that the marker represents a date: May 9, 1979.
"While on May 9, 1979, a variety of historical events occurred, according to Wikipedia "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community," the researchers wrote.
Elghanian, a prominent Jewish-Iranian businessman, was charged with spying for Israel by the then-new revolutionary government of Iran, and executed May 9, 1979.
According to a contemporary account in Time magazine, Elghanian was the first Jewish Iranian to be executed by the revolutionary government, which seized power after the Shah of Iran, Mohammad Reza Pahlavi, fled the country in January 1979.
"Elghanian, who was convicted of spying for Israel, was said to have made huge investments in Israel and to have solicited funds for the Israeli army, which the prosecution claimed made him an accomplice 'in murderous air raids against innocent Palestinians,'" reported Time.
But Falliere, O Murchu and Chen warned against jumping to the natural conclusion, that the reference pointed to Israel as the origin of Stuxnet. "Attackers would have the natural desire to implicate another party," they said.
Researchers at Symantec, Kaspersky Lab and elsewhere have been pulling apart Stuxnet since it made a public splash in July in attempts to understand how it works and who might have created the worm.
Stuxnet, which has been dubbed the world's most sophisticated malware ever by O Murchu and others, targets Windows PCs that oversee industrial-control systems, called "SCADA" systems, that in turn manage and monitor machinery in power plants, factories, pipelines and military installations.
Stuxnet's complex design and SCADA target has led many to conclude that it was the work of a state-backed group of hackers, while massive infections in Iran hinted that that country's infrastructure, possibly its nuclear facilities, was the intended target.
Last weekend, Iranian officials confirmed that tens of thousands of PCs in their country had been infected by Stuxnet, including some used at a nuclear power plant in southwestern Iran that's planned to go online next month.
The Symantec researchers also revealed a host of other Stuxnet details in their paper, including a "kill date" of June 24, 2012, after which the worm will refuse to execute.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Cybercrime and Hacking White Papers | Webcasts