
1 October 2010


Stuxnet Myrtus or MyRTUs?

A sends:

John Markoff in the New York Times has written an article which intimates that the Stuxnet worm may be the work of Israel's Unit 8200.

http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html

According to Markoff,

"Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus... an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively."

Really? Personally I'd be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I've met are pretty sharp. Just ask Erez Metula.

http://www.blackhat.com/presentations/bh-usa-09/METULA/BHUSA09-Metula-ManagedCodeRootkits-PAPER.pdf

It may be that the "myrtus" string from the recovered Stuxnet file path

"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" stands for "My-RTUs"

as in Remote Terminal Unit. See the following white paper from Motorola; it examines RTUs and PICs in SCADA systems. Who knows? The guava-myrtus connection may actually hold water.

http://www.motorola.com/web/Business/Products/SCADA%20Products/_Documents/Static%20Files/SCADA_Sys_Wht_Ppr-2a_New.pdf

As you can see, the media's propaganda machine is alive and well.
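The "myrtus" string the letter argues about is recovered from the PDB path that the compiler leaves in a PE file's CodeView (RSDS) debug record. The following is an added example, not part of A's letter or of any published Stuxnet analysis: it carves RSDS records out of a byte buffer and splits off the first directory component, which is all the evidence the "Myrtus vs. My-RTUs" reading rests on. The GUID, age and surrounding padding in the sample blob are constructed; only the path itself is the one quoted above.

```python
from __future__ import annotations

import re
import struct
import uuid

# Constructed sample: a fake RSDS (CodeView 7.0) record embedded in filler
# bytes. Layout is "RSDS" + 16-byte GUID (little-endian) + 4-byte age +
# NUL-terminated PDB path. GUID and age are made-up values for the example.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PDB_PATH = b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb"
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"RSDS"
    + SAMPLE_GUID.bytes_le
    + struct.pack("<I", 1)
    + SAMPLE_PDB_PATH
    + b"\x00"
    + b"\x00" * 16
)

# Signature, 16-byte GUID, 4-byte age, then a printable NUL-terminated path.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,512})\x00",
    re.DOTALL,
)


def extract_rsds(blob: bytes) -> list[dict]:
    """Return every plausible RSDS record found in blob.

    Records whose path does not end in .pdb are dropped, since the 4-byte
    signature alone produces false hits in arbitrary binary data.
    """
    records = []
    for m in RSDS_RE.finditer(blob):
        path = m.group("path").decode("ascii")
        if not path.lower().endswith(".pdb"):
            continue
        records.append(
            {
                "guid": str(uuid.UUID(bytes_le=m.group("guid"))),
                "age": struct.unpack("<I", m.group("age"))[0],
                "pdb_path": path,
            }
        )
    return records


def project_dir(pdb_path: str) -> str | None:
    """First directory component after the drive letter, e.g. 'myrtus'."""
    parts = [p for p in re.split(r"[\\/]+", pdb_path) if p]
    if not parts:
        return None
    if re.fullmatch(r"[A-Za-z]:", parts[0]) and len(parts) > 1:
        return parts[1]
    return parts[0]


if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_BLOB):
        print(rec["guid"], rec["age"], rec["pdb_path"], "->", project_dir(rec["pdb_path"]))
```

Run against a real PE the same scan recovers the path an analyst would quote; the point of the example is that a project directory name is a single developer-chosen token with no inherent meaning, so either reading of "myrtus" is a guess until corroborated by other artifacts.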