.

Saturday, October 02, 2010

The tantalizing clue of Myrtus for Stuxnet

From the New York Times, in an article about the Stuxnet worm that is affecting Iranian factories, and possibly their nuclear plants:
Then there is the allusion to myrtus — which may be telling, or may be a red herring.

Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus. The guava fruit is part of the Myrtus family, and one of the code modules is identified as Guava.

It was Mr. Langner who first noted that Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.

“If you read the Bible you can make a guess,” said Mr. Langner, in a telephone interview from Germany on Wednesday.
To be precise, Myrtus=Myrtle=Haddassah, which was the Hebrew name of Esther.

NYT further says:
There are many reasons to suspect Israel’s involvement in Stuxnet. Intelligence is the single largest section of its military and the unit devoted to signal, electronic and computer network intelligence, known as Unit 8200, is the largest group within intelligence.

Yossi Melman, who covers intelligence for the newspaper Haaretz and is at work on a book about Israeli intelligence over the past decade, said in a telephone interview that he suspected that Israel was involved.

He noted that Meir Dagan, head of Mossad, had his term extended last year partly because he was said to be involved in important projects. He added that in the past year Israeli estimates of when Iran will have a nuclear weapon had been extended to 2014.

“They seem to know something, that they have more time than originally thought,” he said.

...something — perhaps the worm or some other form of sabotage, bad parts or a dearth of skilled technicians — is indeed slowing Iran’s advance.

The reports on Iran show a fairly steady drop in the number of centrifuges used to enrich uranium at the main Natanz plant. After reaching a peak of 4,920 machines in May 2009, the numbers declined to 3,772 centrifuges this past August, the most recent reporting period. That is a decline of 23 percent. (At the same time, production of low-enriched uranium has remained fairly constant, indicating the Iranians have learned how to make better use of fewer working machines.)

Computer experts say the first versions of the worm appeared as early as 2009 and that the sophisticated version contained an internal time stamp from January of this year.

Other researchers think that Myrtus might have a completely different meaning:


Personally I'd be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I've met are pretty sharp. Just ask Erez Metula.
http://www.blackhat.com/presentations/bh-usa-09/METULA/BHUSA09-Metula-ManagedCodeRootkits-PAPER.pdf

It may be that the "myrtus" string from the recovered Stuxnet file path "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" stands for "My-RTUs"
as in Remote Terminal Unit. See the following white paper from Motorola, it examines RTUs and PICs in SCADA systems. 
http://www.motorola.com/web/Business/Products/SCADA%20Products/_Documents/Static%20Files/SCADA_Sys_Wht_Ppr-2a_New.pdf
But, as the NYT article mentions, there is a psychological component to cyberwar, and a clue like Myrtus would play into already existing Iranian paranoia.

The good news is that something seems to have slowed down the Iranian nuclear program significantly, and if that hearkens back to Queen Esther's saving the Jews from immoral, genocidal Persian rulers, so much the better.

(h/t EBoZ)