Stuxnet code hints at possible Israeli origin, researchers say

But they warn that misdirection is a common hacker tactic

Security researchers today offered another tantalizing clue about the possible origins of the notorious Stuxnet worm, but cautioned against reading too much from the obscure tea leaves.

In a paper released today and presented at a Vancouver, British Columbia security conference, a trio of Symantec researchers noted that Stuxnet includes references in its code to the 1979 execution of a prominent Jewish Iranian businessman.

Buried in Stuxnet's code is a marker with the digits "19790509" that the researchers believe is a "do-not infect" indicator. If the marker equals that value, Stuxnet stops in its tracks, and does not infect the targeted PC.

The researchers -- Nicolas Falliere, Liam O Murchu and Eric Chen -- speculated that the marker represents a date: May 9, 1979.

"While on May 9, 1979, a variety of historical events occurred, according to Wikipedia "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community," the researchers wrote.

Elghanian, a prominent Jewish-Iranian businessman, was charged with spying for Israel by the then-new revolutionary government of Iran, and executed May 9, 1979.

According to a contemporary account in Time magazine, Elghanian was the first Jewish Iranian to be executed by the revolutionary government, which seized power after the Shah of Iran, Mohammad Reza Pahlavi, fled the country in January 1979.

"Elghanian, who was convicted of spying for Israel, was said to have made huge investments in Israel and to have solicited funds for the Israeli army, which the prosecution claimed made him an accomplice 'in murderous air raids against innocent Palestinians,'" reported Time.

But Falliere, O Murchu and Chen warned against jumping to the natural conclusion, that the reference pointed to Israel as the origin of Stuxnet. "Attackers would have the natural desire to implicate another party," they said.

Researchers at Symantec, Kaspersky Lab and elsewhere have been pulling apart Stuxnet since it made a public splash in July in attempts to understand how it works and who might have created the worm.

Stuxnet, which has been dubbed the world's most sophisticated malware ever by O Murchu and others, targets Windows PCs that oversee industrial-control systems, called "SCADA" systems, that in turn manage and monitor machinery in power plants, factories, pipelines and military installations.

Stuxnet's complex design and SCADA target has led many to conclude that it was the work of a state-backed group of hackers, while massive infections in Iran hinted that that country's infrastructure, possibly its nuclear facilities, was the intended target.

Last weekend, Iranian officials confirmed that tens of thousands of PCs in their country had been infected by Stuxnet, including some used at a nuclear power plant in southwestern Iran that's planned to go online next month.

The Symantec researchers also revealed a host of other Stuxnet details in their paper, including a "kill date" of June 24, 2012, after which the worm will refuse to execute.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecurityWindowssoftwareoperating systems

More about KasperskyKasperskySymantecWikipedia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place