Stuxnet code hints at possible Israeli origin, researchers say

But they warn that misdirection is a common hacker tactic

Security researchers today offered another tantalizing clue about the possible origins of the notorious Stuxnet worm, but cautioned against reading too much from the obscure tea leaves.

In a paper released today and presented at a Vancouver, British Columbia security conference, a trio of Symantec researchers noted that Stuxnet includes references in its code to the 1979 execution of a prominent Jewish Iranian businessman.

Buried in Stuxnet's code is a marker with the digits "19790509" that the researchers believe is a "do-not infect" indicator. If the marker equals that value, Stuxnet stops in its tracks, and does not infect the targeted PC.

The researchers -- Nicolas Falliere, Liam O Murchu and Eric Chen -- speculated that the marker represents a date: May 9, 1979.

"While on May 9, 1979, a variety of historical events occurred, according to Wikipedia "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community," the researchers wrote.

Elghanian, a prominent Jewish-Iranian businessman, was charged with spying for Israel by the then-new revolutionary government of Iran, and executed May 9, 1979.

According to a contemporary account in Time magazine, Elghanian was the first Jewish Iranian to be executed by the revolutionary government, which seized power after the Shah of Iran, Mohammad Reza Pahlavi, fled the country in January 1979.

"Elghanian, who was convicted of spying for Israel, was said to have made huge investments in Israel and to have solicited funds for the Israeli army, which the prosecution claimed made him an accomplice 'in murderous air raids against innocent Palestinians,'" reported Time.

But Falliere, O Murchu and Chen warned against jumping to the natural conclusion, that the reference pointed to Israel as the origin of Stuxnet. "Attackers would have the natural desire to implicate another party," they said.

Researchers at Symantec, Kaspersky Lab and elsewhere have been pulling apart Stuxnet since it made a public splash in July in attempts to understand how it works and who might have created the worm.

Stuxnet, which has been dubbed the world's most sophisticated malware ever by O Murchu and others, targets Windows PCs that oversee industrial-control systems, called "SCADA" systems, that in turn manage and monitor machinery in power plants, factories, pipelines and military installations.

Stuxnet's complex design and SCADA target has led many to conclude that it was the work of a state-backed group of hackers, while massive infections in Iran hinted that that country's infrastructure, possibly its nuclear facilities, was the intended target.

Last weekend, Iranian officials confirmed that tens of thousands of PCs in their country had been infected by Stuxnet, including some used at a nuclear power plant in southwestern Iran that's planned to go online next month.

The Symantec researchers also revealed a host of other Stuxnet details in their paper, including a "kill date" of June 24, 2012, after which the worm will refuse to execute.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

This story, "Stuxnet code hints at possible Israeli origin, researchers say" was originally published by Computerworld.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies