
US May Have Planted Book Of Esther 'Clue' In Stuxnet Attack On Iran Nuclear Plant


Infiltrator


A WORM attacking computers in Iran and threatening to shut down the country's first nuclear facility just weeks before it is due to open may have been developed in Israel.

The Stuxnet worm sparked awe and alarm in the world of digital security when it was first identified in June, with analysts claiming it was so powerful, the wealth of resources needed to develop it made a nation-state the most likely culprit.

According to security software experts and analysts, Stuxnet may have been designed to target the Iranian facility at Bushehr and suspicions have fallen on the US as well as Israel.

Iran said this week that Stuxnet is mutating and wreaking havoc on computerised industrial equipment there but denied the Bushehr plant was among the facilities penetrated.

No one has claimed credit for Stuxnet and a top US cybersecurity official said last week that the United States does not know who is behind it or its purpose. Now the New York Times reports that a piece of code dug out of the worm includes a reference to the Book of Esther, the Old Testament story in which the Jews pre-empt a Persian plot to destroy them, and is a possible clue of Israeli involvement.

A file inside the Stuxnet code is named "Myrtus", an allusion to the Hebrew word for Esther, and is a possible Israeli calling card, the Times said.

The other possibility is the reference was placed there as a "red herring" designed to throw investigators off the track or stir political tensions between the two countries.

The Times said the US has also "rapidly ramped up a broad covert program, inherited from the Bush administration, to undermine Iran’s nuclear program".

It noted that there was no consensus among security experts about who may be behind Stuxnet but said "there are many reasons to suspect Israel's involvement".

Israel has poured huge resources into Unit 8200, its secretive cyberwar operation, and Stuxnet may be a "clear warning in a mounting technological and psychological battle" with Iran over its nuclear program, the newspaper said.

The Times said Ralph Langner, a German computer security consultant, was the first to note that "Myrtus" is an allusion to the Hebrew word for Esther.

Shai Blitzblau, head of the computer warfare laboratory at Maglan, an Israeli company specialising in information security, told the Times he was "convinced that Israel had nothing to do with Stuxnet".

"We did a complete simulation of it and we sliced the code to its deepest level," he said. "We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment."

Stuxnet specifically attacks Siemens supervisory control and data acquisition, or SCADA, systems commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.

The self-replicating malware has also been found lurking on Siemens systems in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, according to researchers.

Once resident inside a system, Stuxnet simply waits, checking every five seconds to see if its target parameters are met. Once they are, it triggers a sequence - the code DEADF007 - that forces the network's industrial process to self-destruct.

"After the original code (for the entity's regular process) is no longer executed, we can expect that something will blow up soon," Mr Langner told The Christian Science Monitor earlier this week. "Something big."

Source code:

http://www.news.com.au/technology/who-is-m...0-1225932665892


I wouldn't say the worm is contained yet, but it's certainly mutating or changing its signatures to evade further detection. This is what I love about worms, polymorphism.


You are right, if the worm is still in the system they would definitely know about it. But according to the news article, the worm is mutating, meaning it's changing its signatures or form to evade detection.

"Iran said this week that Stuxnet is mutating and wreaking havoc on computerised industrial equipment there but denied the Bushehr plant was among the facilities penetrated."

Whether their system has been penetrated or not, there is always the chance that they don't want to make it public. If the system is indeed infected, the worm is probably waiting for the right moment to attack.

"Once resident inside a system, Stuxnet simply waits, checking every five seconds to see if its target parameters are met. Once they are, it triggers a sequence - the code DEADF007 - that forces the network's industrial process to self-destruct."

Edited by Infiltrator

dun dun dunnnnn. i wonder if anything is going to happen. and if so what does that mean for computer security and changes that might happen because of an incident.

That's a damn good question!

Serious threat:

Both Chien and Ferguson said this type of code is a major security concern. "For the broader population, this is definitely a new generation of attack. We're not talking any more about someone stealing someone's credit card numbers, what we're talking about is someone being able to, for example, cause a pipeline to blow up or cause a nuclear centrifuge to go out of control or cause power stations to go down. So we're not talking about virtual or 'cyber' sort of implications here, what we're talking about are real life implications."

Ferguson said "it is a big deal because the utility companies, and manufacturing communities and the power companies and gas and oil companies for years have been using closed proprietary systems to manage their infrastructure and over the course of the past few years they've been making business decisions to use off-the-shelf software like Windows." He added that now we're seeing the same threat as with other networks as facilities are connected to the Internet or allow access to thumb drives. This type of threat, according to Ferguson, is "absolutely new and that's why a lot of people in the intelligence community, in the Department of Homeland Security and different governments around the world are really kind of spooked by this development. It shows the targeted nature and sophistication of the criminal/espionage aspect to this."

Source: http://news.cnet.com/8301-19518_3-20017592-238.html

Edited by Infiltrator

He added that now we're seeing the same threat as with other networks as facilities are connected to the Internet or allow access to thumb drives. This type of threat, according to Ferguson, is "absolutely new and that's why a lot of people in the intelligence community, in the Department of Homeland Security and different governments around the world are really kind of spooked by this development. It shows the targeted nature and sophistication of the criminal/espionage aspect to this."

lmao!!! ya threats from the internet are new. never heard of that before.

the past few years they've been making business decisions to use off-the-shelf software like Windows

well there's the problem!


  • 2 weeks later...

Something keeps bugging me about this worm, and its origin.

Would anybody here possibly consider if Haystack might have been a possible suspect in all this?

It was a project to assist Iranians in bypassing their government's firewalls and web filters. Could something have been deployed so that if an Iranian visited a particular website using Haystack, something (Stuxnet) could have been downloaded back into their own computers, and spread undetected through Iranian networks and USB keys?

The US Government allowed Haystack out to Iran, bypassing the US export restrictions.

It seems strange now that Haystack has "gone to ground" now, the project is in hiatus pending a "security review".

All good timing.

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

When searching for these two words on Google, the seventh item in the search order talks about plants. Myrtus or (Chilean) Guava is a perennial bush that grows outside of San Francisco.....home of Haystack...

Just something to throw out to see if this line of thinking was logical....

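The path quoted in the post above is a CodeView (RSDS) debug record that the Microsoft linker embeds in a PE file, and such records are routinely carved out of samples during triage because the PDB path, GUID and age survive as attribution and clustering pivots. The following Python carver is an added example written for this thread, not code from the original post or from any published Stuxnet analysis: it scans a byte blob for RSDS records, rejects chance "RSDS" matches that are not followed by a printable `.pdb` path, and derives the symbol-server lookup key (GUID plus age). The sample blob, its GUID and its age are constructed; only the PDB path is taken from the thread.

```python
r"""Carve CodeView (RSDS) debug records out of a binary blob.

Added example, not code from the original thread. The PDB path seen in
the thread (b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb) is the kind of
linker artifact this script recovers; the GUID, age and surrounding
bytes in SAMPLE_BLOB are constructed sample data.
"""
import re
import struct
import uuid

# CodeView PDB 7.0 record: 'RSDS' | GUID (16 bytes, Windows byte order)
#                          | Age (uint32 LE) | NUL-terminated PDB path
_RSDS_HEADER = struct.Struct("<4s16sI")
_PRINTABLE_PATH = re.compile(rb"[\x20-\x7e]+")


def carve_rsds(blob: bytes, max_path_len: int = 260):
    """Return every plausible RSDS record in blob as a dict.

    A candidate is accepted only if its path is printable ASCII, is
    NUL-terminated within max_path_len bytes and ends in '.pdb'. That
    filter drops the occasional 'RSDS' that occurs by chance in other data.
    """
    records = []
    start = 0
    while True:
        idx = blob.find(b"RSDS", start)
        if idx < 0:
            break
        start = idx + 1
        end = idx + _RSDS_HEADER.size
        if end > len(blob):
            break
        _, guid_le, age = _RSDS_HEADER.unpack_from(blob, idx)
        nul = blob.find(b"\x00", end, end + max_path_len + 1)
        if nul < 0:
            continue
        path = blob[end:nul]
        if not path.lower().endswith(b".pdb") or not _PRINTABLE_PATH.fullmatch(path):
            continue
        guid = uuid.UUID(bytes_le=guid_le)
        records.append({
            "offset": idx,
            "guid": str(guid),
            "age": age,
            "pdb_path": path.decode("ascii"),
            # Symbol-server key: 32 uppercase hex GUID digits followed by the age in hex
            "symbol_key": f"{guid.hex.upper()}{age:X}",
        })
    return records


def path_components(pdb_path: str):
    """Split a Windows PDB path into lowercase names, handy for pivoting on project directories."""
    return [p.lower() for p in pdb_path.replace("/", "\\").split("\\") if p]


# Constructed sample: a decoy 'RSDS' with no valid path, then one real record.
_SAMPLE_GUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")   # constructed
_SAMPLE_PATH = b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb"  # from the thread
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"RSDS\xff\xfe\xfd"          # decoy: signature followed by binary garbage
    + b"\x00" * 8
    + _RSDS_HEADER.pack(b"RSDS", _SAMPLE_GUID.bytes_le, 1)
    + _SAMPLE_PATH + b"\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for rec in carve_rsds(SAMPLE_BLOB):
        print(rec)
        print(path_components(rec["pdb_path"]))
```

Run it against a real sample with `carve_rsds(open(path, "rb").read())`; the `symbol_key` field is what a symbol server would be queried with, and `path_components` gives the directory names (here `myrtus`, `guava`) that the post is speculating about.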

Everything is possible, they may/may not have anything to do with the spread of the virus, but you do make a point. I reckon the worm originated somewhere inside Iran, due to the large number of infected machines. But again, that may not be the case after all. It may have spread from somewhere overseas and then it may have been programmed not to spread anywhere else but to remain within Iran.

But to make things interesting, the worm infects portions of computers around the world. Something doesn't smell right in the whole story.

Edited by Infiltrator

Everything is possible, they may/may not have anything to do with the spread of the virus, but you do make a point. I reckon the worm originated somewhere inside Iran, due to the large number of infected machines. But again, that may not be the case after all. It may have spread from somewhere overseas and then it may have been programmed not to spread anywhere else but to remain within Iran.

But to make things interesting, the worm infects portions of computers around the world. Something doesn't smell right in the whole story.

Would Iranians really have access to the web enough to learn how to hack?

Anyway, I think it was the Mossad. I don't believe Mr. Pres. would allow this to happen without him receiving credit, especially with Intel CEO's retired and hired alike getting extremely perturbed.

Or does someone else have an opinion that I may perhaps agree with?


seriously? you know it's not just all desert and camels out there.

True, there could be underground labs, you never know.

