Code for Stuxnet super-worm that's attacking Iranian computers contains Jewish cultural references

Rick Sanchez just e-mailed to say, “I knew it.”

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment…

There are many competing explanations for myrtus, which could simply signify myrtle, a plant important to many cultures in the region. But some security experts see the reference as a signature allusion to [the Book of] Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.

There are many reasons to suspect Israel’s involvement in Stuxnet. Intelligence is the single largest section of its military and the unit devoted to signal, electronic and computer network intelligence, known as Unit 8200, is the largest group within intelligence.

That’s not the only telltale allusion. Bill Jacobson flagged another example reported by the antivirus company Symantec, a possible reference in the coding to the date May 9, 1979. Why’s that significant? Because it happens to be the date when the new Khomeinist government in Iran executed one of the country’s most prominent Jewish citizens, kick-starting a mass Jewish exodus. Here’s my question, though: If Israel is behind the Stuxnet worm, why would they deliberately leave calling cards for the Iranians to find? Iran’s going to assume that Israel’s responsible anyway; there’s no need to leave a breadcrumb trail. Logically it seems more likely that another nation’s to blame for the worm and is tossing in a few red herrings to make Iran think it’s Israel. On that note, a fascinating detail from Jonathan Last’s fantastic overview of Stuxnet at the Weekly Standard:

The functionality of Stuxnet is particularly interesting. The worm gains initial access to a system through a simple USB drive. When an infected USB drive is plugged into a machine, the computer does a number of things automatically. One of them is that it pulls up icons to be displayed on your screen to represent the data on the drive. Stuxnet exploited this routine to pull the worm onto the computer. The problem, then, is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installs what’s called a “rootkit”—essentially a piece of software which intercepts the security queries and sends back false “safe” messages, indicating that the worm is innocuous.

The trick is that installing a rootkit requires using drivers, which Windows machines are well-trained to be suspicious of. Windows requests that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely-guarded secrets. Yet Stuxnet’s malicious drivers were able to present genuine signatures from two genuine computer companies, Realtek Semiconductor and JMicron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. No one knows how the Stuxnet creators got hold of these keys, but it seems possible that they were physically—as opposed to digitally—stolen.
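The point buried in Last’s explanation is that a driver signed with a stolen key looks exactly like a legitimately signed driver: Windows reports the signature as valid because, cryptographically, it is. An administrator who only checks “is it signed?” learns nothing. The script below is an added illustration, not code from the article or from any vendor it names; it audits the installed driver files on a Windows host and flags two things separately: drivers whose signature is missing or broken, and drivers whose signature is valid but whose signing certificate appears on a locally maintained watch list (the kind of list a defender keeps once a vendor’s key is known to be compromised). The thumbprints in `$WatchList` are placeholders, not real certificate values, and the driver directory is assumed to be the default `System32\drivers`.

```powershell
# Added example (not from the original article): audit driver files for
# (a) missing/invalid Authenticode signatures and
# (b) valid signatures made by certificates on a local watch list.
# A valid signature from a stolen key only shows up under (b), which is why
# the watch list is checked in addition to the signature status.

# Placeholder thumbprints: replace with the SHA-1 thumbprints of certificates
# you consider compromised. These values are constructed for the example.
$WatchList = @(
    'PLACEHOLDER_THUMBPRINT_COMPROMISED_SIGNER_1',
    'PLACEHOLDER_THUMBPRINT_COMPROMISED_SIGNER_2'
)

# Assumed location of kernel driver files on a default Windows install.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

Get-ChildItem -Path $DriverDir -Filter '*.sys' -File | ForEach-Object {
    # Get-AuthenticodeSignature validates the PE signature and returns the
    # signer certificate (if any) plus a Status such as Valid, NotSigned,
    # HashMismatch or NotTrusted.
    $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $who   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '(unsigned)' }

    # Decide why this driver deserves attention, if at all.
    $flag = if ($sig.Status -ne 'Valid') {
                'INVALID_OR_UNSIGNED'        # broken, missing or untrusted signature
            } elseif ($WatchList -contains $thumb) {
                'VALID_BUT_WATCHLISTED_SIGNER' # signature checks out, key is suspect
            } else {
                ''
            }

    [pscustomobject]@{
        Driver     = $_.Name
        Status     = $sig.Status
        Signer     = $who
        Thumbprint = $thumb
        Flag       = $flag
    }
} | Where-Object { $_.Flag } | Sort-Object Flag, Driver | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so every file under the driver directory is readable. Nothing flagged means only that no driver failed signature validation and none was signed by a listed certificate; it does not prove the remaining drivers are benign, which is exactly the gap a signed rootkit exploits, and why the watch list has to be kept current as compromised certificates become known.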

Our own J.E. Dyer speculated last week that China also has the means, motive, and opportunity to pull this off, not just the U.S. and Israel. The Taiwan connection is an interesting data point in that context. Follow the link above and read all of Last’s piece, though, as it’s the clearest explanation I’ve seen so far about why Stuxnet is such a world-beater. The background will serve you well as news continues to come about it in the coming weeks. Says the technical director of Symantec, who still can’t quite believe what he’s dealing with here, “I’ve been dealing with malicious code threats for 15 to 20 years now, I’ve seen every large sort of outbreak, and we’ve never seen anything like this. It’s fundamentally changed our job, to be honest.” That story’s worth reading in full too, as it raises the horrible prospect of hackers getting hold of Stuxnet and tweaking it to form their own cyberwarfare mega-weapon.